2386885 – (CVE-2024-8244) CVE-2024-8244 golang:path/filepath: Golang Walk/WalkDir symlink race

Bug 2386885 (CVE-2024-8244) - CVE-2024-8244 golang:path/filepath: Golang Walk/WalkDir symlink race

Summary: CVE-2024-8244 golang:path/filepath: Golang Walk/WalkDir symlink race

Keywords:
Status:	NEW
Alias:	CVE-2024-8244
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-08-06 16:01 UTC by OSIDB Bzimport
Modified:	2025-08-06 19:53 UTC (History)
CC List:	171 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-08-06 16:01:19 UTC

The filepath.Walk and filepath.WalkDir functions are documented as not following symbolic links, but both functions are susceptible to a TOCTOU (time of check/time of use) race condition where a portion of the path being walked is replaced with a symbolic link while the walk is in progress.

Note You need to log in before you can comment on or make changes to this bug.

aaguirre
aazores
abarbaro
abrianik
adistefa
akostadi
akoudelk
alazarot
alcohan
amasferr
amctagga
anjoseph
anpicker
ansmith
anthomas
aoconnor
asatyam
ataylor
bdettelb
bkabrda
bniver
bparees
brainfor
cbartlet
chfoley
ckandaga
cmah
crizzo
ddahlem
dhanak
diagrawa
dmayorov
doconnor
drosa
dsimansk
dymurray
eaguilar
ebaron
eglynn
ehelms
ehernand
fdeutsch
flucifre
fspolti
ggainey
ggrzybek
gmeno
gparvin
gryan
gzaronik
haoli
hasun
hdefazio
hkataria
ibolton
jaharrin
jajackso
jburrell
jcammara
jcantril
jchui
jeder
jfula
jhe
jjoyce
jkoehler
jlledo
jmatthew
jmitchel
jmontleo
jneedle
jolong
jowilson
jprabhak
jschluet
jscholz
juwatts
jwendell
kegrant
kingland
koliveir
kshier
ktsao
kverlaen
lball
lbragsta
lchilton
ldai
lgamliel
lhh
lphiri
lsharar
lsvaty
lucarval
mabashia
manissin
matzew
mbenjamin
mbocek
mburns
mgarciac
mhackett
mhulan
mkudlej
mmakovy
mnovotny
mrunge
mwringe
nboldt
ngough
njean
nmoumoul
nyancey
ometelka
oramraz
osousa
owatkins
pahickey
pamccart
paoconno
parichar
pbraun
pcreech
peholase
pgaikwad
pgrist
pjindal
psrna
ptisnovs
pvasanth
rcardoso
rcernich
rchan
rfreiman
rhaigner
rjohnson
rojacob
sabiswas
sakbas
sausingh
sdawley
sfeifer
shvarugh
simaishi
slucidi
smallamp
smcdonal
smullick
sostapov
sseago
stcannon
stirabos
swoodman
syedriko
szaher
tasato
teagle
tfister
thason
thavo
tjochec
tmalecek
vereddy
veshanka
vimartin
wenshen
whayutin
wtam
xdharmai
xiyuan
yguenane